Re: How can i protect against session hijacking?

[David Scholefield <david () port80 com>]

On 3 Apr 2009, at 05:58, AF wrote:

> Debasis Mohanty wrote:
> > So in your opinion if an application is vulnerable to one XSS but  
> > an adverse
> > can exploit the XSS to do 10 different malicious operations, then  
> > the app is
> > vulnerable to 10 issues not 1 XSS?? Won't it give a misleading/vague
> > assessment of vulnerability? No offence but I have seen this before  
> > in many
> > fake consultants reports where they try to blow up an XSS and  
> > exploit in
> > more than one ways to increase the vulnerability count in an report.
> >
> > -d
> Typical. automated web assessment tools reporting 300 critical
> vulnerabilities...all located in one URL, one parameter. Result: a
> 500-pages report that makes the client suffer just as he sees it.


The answer is not to use automated tools for web security assessment!

To be fair, I've seen a number of tools that don't generate bogus 'sub'
vulnerabilities, but in general you get what you pay for, and expertise
is expensive.

----
Dr David Scholefield, CISSP, OPST, MBCS
07525 624 997
www.port80.com

Security in a connected world